Introduction to Microsoft Mobile Device Management

I'm currently settling in to a new job where I'm spending a fair amount of time working with Microsoft's mobile security management tools, mostly Microsoft Intune. This is largely what I was doing towards the end of my old job too, and while there are some great people writing great material out there, I think there's a lack of articles that start at the beginning with current (as of April 2019) tools and pull all the strands together, so that's what we're going to talk about here.

First of all, let’s talk about some industry standard terms that you might see in this article and everywhere else.

Mobile Device Management (MDM) - this refers to management tools for smartphones, tablets, and more recently laptops and desktops. MDM tools typically apply policies to devices (or users) that control how the device itself behaves: what the user can configure, what security settings are enforced, and what the device can connect to.

If you’re used to using Active Directory management of devices then you might consider MDM to be loosely similar to GPOs applied to a desktop machine to control the basic environment.

Mobile Application Management (MAM) - This refers to the management of the applications themselves on a mobile device. MAM differs from MDM in that MAM allows us to have more granular control over the behaviour of different applications without necessarily taking control of the whole device (though it’s possible and often desirable to use device and application policies together).

Data Loss Prevention (DLP) - Systems that monitor data and attempt to spot unauthorised access, modification or sharing.

Enterprise Mobility Management (EMM) - This term encompasses MDM, MAM, mobile user security and data loss prevention tools (DLP) working together with user account security (e.g. multi-factor authentication, detection and blocking of “risky” logins) to try and provide a secure environment for mobile workers.

Microsoft's EMM product family

Microsoft refer to their product family as "Enterprise Mobility + Security" and not surprisingly, it's designed to integrate with Office 365 and Azure Active Directory.

There are several different levels of Microsoft Intune, each with different levels of functionality and different benefits.

Mobile Device Management for Office 365

This is the basic package for Office 365 Business subscribers and is bundled with the Office 365 enterprise packages. It gives you a simplified dashboard for enrolling and managing mobile devices and Windows clients, and is designed to offer a simple "baseline" level of control over mobile access to data and services for businesses using Office 365.

Microsoft Intune

Microsoft Intune is the full Microsoft "MDM experience", allowing you to fully manage devices and applications in Office 365/Azure Active Directory. It allows you to enrol devices and assign policies to groups of users in a similar way to MDM for O365, but also adds full MAM capability, allowing you to apply granular controls to applications that are using your data without necessarily having to enrol the device into MDM.

Intune adds support for Mac OS to the list of devices that can be managed.

Enterprise Mobility + Security

EMS is the full package. It requires (or provides, depending on how you look at it) a subscription that includes Azure Active Directory (AAD) Premium, and gives you everything that Microsoft Intune itself allows, along with vastly improved safeguards for user accounts and data.

In Summary

If this seems confusing then don't worry - it is a little confusing. You can think of the three packages above as "Good, Better, Best" and try to think about what your requirements are. For example, if you're running a relatively small business and you primarily use Office 365 to deliver email via Exchange Online and you simply want to provide some controls around how all your users access email away from the office then you may find that MDM for O365 does enough for you.

If you’re running a rather more sophisticated cloud presence where you’re making use of more Office 365 capabilities, where your users might be a bit more mobile, or logging in from a wider range of devices and you wish to be able to control application use from BYOD devices, or you have users running MacOS, then Microsoft Intune is probably the right level for you.

If you're after still more granular control, then you will need the full Microsoft EM+S licence. That applies if you wish to have different sets of requirements for access to different systems, if you're running a large business that places a lot of data and services in the cloud, or if you wish to track data and user access patterns in detail and lock down access to applications or data depending on the level of "risk" attached to a log-in attempt (e.g. risky sign-ins).


As ever with Microsoft, there are many different combinations of licences you can buy and assign to your users to give you these capabilities. I’m not going to break them down in detail here but in broad strokes, you can think of the basic Office 365 E3 enterprise licence (or A3 for education) as giving you MDM for O365.

You can add Intune by itself as a specific item if you just need slightly more control on top of the basic package, and if you need Office 365 and EM+S then you probably should look at the Microsoft 365 Enterprise packages that provide Windows licences, Office 365 licences and EM+S all in one package. There are all kinds of options and deals available depending on what you need so other than pointing out that the different tiers are there, I’m not even going to attempt to explain them here.

I've already talked about some more advanced concepts such as using Intune to deliver password resets to Windows domain devices, and in the next post I will look at assigning licences and enrolling devices.